Storm Worm - New Valentines Day e-card Attacks
After some "test runs" in early February, new waves of the Storm worm are now surfacing using Valentine's Day themes. These spammed email messages are designed to trick individuals into visiting the malicious websites (uses numeric IP addresses and lacks more detailed personalization that one would find in true e-cards sent this time of year).
If the associated EXE file lurking on the website is opened, the malware can automatically install silently on the system. This new wave of attacks is not well detected by AV products, as the malware agent is being constantly changed each hour automatically.
Avoid these emails completely, so you don't end up broken-hearted on Valentine's Day
Storm Worm - Valentines Day e-card Attacks
QUOTE: With Valentine’s Day coming this week, we have seen a new wave of Nuwar spamming this Monday evening, amounting to more than 20 variants in a couple of hours. Detection for these variants from major AV vendors was near nonexistent, as the Nuwar writer is using a new compiler this time to bypass detection.
While we saw the Valentine’s day campaign start in January, it’s morphed. This time using the following approaches (some old, some new)
-- raw IP addresses in the spam lures
-- the filename is now “valentine.exe”, using a redirect and a clickable link
-- much more simple HTML websites
-- subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
-- rapidly changing MD5 hashes
-- poor AV detection
EXAMPLE TO AVOID
Subject: Sweetest Things Aren't Things!
Date: Mon, 11 Feb 2008 13:13:58 +0900
Text: Love Poem: (Malicous Numeric IP address removed)